b'Final Memorandum on the Audit of the Reporting of NASA\xe2\x80\x99s National Security Systems\n(IG-09-024, August 28, 2009)\n\nOA initiated this audit because of an issue identified during our audit of NASA\xe2\x80\x99s compliance\nwith fiscal year (FY) 2008 requirements of the Federal Information Security Management Act\n(FISMA). Each year, the Office of Management and Budget (OMB) provides a FISMA\nreporting template for agencies to use in their annual FISMA reporting. The issue we identified\nrelated to the Agency\xe2\x80\x99s including information on its national security systems in the responses\nprovided to OMB.\n\nWe found that NASA did not comply with FISMA requirements for the reporting of national\nsecurity systems for FYs 2007 and 2008 because NASA had not clearly assigned this\nresponsibility to a specific NASA office. Further, NASA had not formally designated an entity\nwith appropriate resources to complete the annual independent evaluations of its national\nsecurity systems required by FISMA. We notified the Agency about this issue in February 2009,\nand NASA immediately assigned the responsibility to the Office of the Chief Information\nOfficer (OCIO). In response to our draft report, NASA assigned the Office of Protective\nServices (OPS) to work with the OCIO to gather and compile the required information to report\nto OMB and stated that a formal agreement with an independent entity was being developed.\nWe consider management\xe2\x80\x99s proposed actions to be responsive and will close the related\nrecommendation after verifying that the Agency has established a formal agreement with an\nentity with the appropriate resources to conduct the annual independent evaluation of NASA\xe2\x80\x99s\nnational security systems.\n\nWe also reviewed the certification and accreditation (C&A) program for NASA\xe2\x80\x99s national\nsecurity systems and determined that it generally provided adequate information security\nprotection. However, we found some systems that lacked appropriate C&A documentation,\nwhich has been addressed. All of the report\xe2\x80\x99s recommendations are resolved or closed. As a\nresult, NASA has reasonable assurance that its national security systems comply with national-\nlevel security requirements and maintain an appropriate security posture against current threat\nassessments at an acceptable risk level.\n\nThe report contains NASA Information Technology/Internal Systems Data that is not routinely\nreleased under the Freedom of Information Act (FOIA). To submit a FOIA request, see the\nonline guide.\n\x0c'